Solved

Is there a way to block a GPO from reaching a particular computer without putting the computer in an OU with block inheritance set?

Posted on 2008-10-15
5
386 Views
Last Modified: 2010-04-21
Is there a way to block a GPO from reaching a particular computer without putting the computer in an OU with block policy inheritance set?  I want to block a software GPO policy on particular computers, but I don't want to move the computer(s) to their own OU.

Thank you!
0
Comment
Question by:cc_mbx
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 13

Accepted Solution

by:
martin_babarik earned 200 total points
ID: 22728410
Hello.

yes it quite simple: put all of those computers to a security group and in Group policy management console select the GPO you want to block, switch to a Delegation tab, add a group here to a list, then select the group, click Advanced and assign them Deny permission for Read and Apply group policy object.
Martin
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 100 total points
ID: 22729395
It's important to note that the computers in question will need to be rebooted after they have been added to the security group in question.
0
 
LVL 6

Assisted Solution

by:deiaccord
deiaccord earned 200 total points
ID: 22729539
Another alternative is when you link the GPO associate it with a WMI filter.

To create a WMI filter under Group Policy Management you should have a WMI filters section for the domain in question. Create a new filter with settings something like the below

Namespace: root\CIMV2
Query: SELECT * FROM Win32_ComputerSystem WHERE Name <> 'Computer1' OR Name <> 'Computer2'

Attach this to your GPO and computers called Computer1 or Computer2 will not get the GPO applied to them
0
 
LVL 13

Expert Comment

by:martin_babarik
ID: 22729705
Thank you Laura for adding this comment, quite important:-)
Martin
0
 

Author Closing Comment

by:cc_mbx
ID: 31506608
Thank you!
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question